Ever shared Dataverse data through email attachments or spreadsheets—only to wake up at 2am wondering who might have access? There’s a better, safer way that won’t make your CISO sweat, and yes, it’s built into Power Platform already. Want to know how to give partners and customers just the access they need, nothing more?Today we’re building a customer portal with Power Pages—step by step—showing you how to keep your data secure, permissioned, and controlled, all while looking like a true extension of your own brand. Let’s fix the ‘just share it’ problem, for good.Why Internal Apps Aren’t Enough: The Portal DilemmaIf you’ve ever rolled out a Power App that became the star of your internal team, you know the next question isn’t far behind. Just when you think you’ve nailed the workflow—approval processes humming, dashboards up-to-date—someone from sales, maybe even the CFO, leans in and says, “Can our customers use this too?” That single question often grinds a smooth project to a halt, transforming a tidy internal solution into a can of worms you can’t just seal shut again.Here’s the reality for most organizations leaning on Dataverse: your team has years of customer data, structured processes, and even some automation humming quietly in the background. But the minute you need to actually show any of that to someone outside your physical office or VPN, things get messy. You know, that sinking feeling when marketing wants to create an onboarding portal for new partners, or support suggests a ticketing portal for vendor issues. Of course, copying data and emailing spreadsheets takes five minutes. Fifteen minutes later, though, you’re trying to track who sent what, to whom, and where it ended up. The moment data leaves Dataverse or your app, your grip on privacy and compliance loosens.And it isn’t just theoretical risk. We’ve all heard the stories—one too many, honestly—like the finance manager who exported a batch of invoice records for a vendor and, thanks to a wonky Excel filter, ended up attaching every customer’s info instead. Suddenly your CFO’s inbox has half the company’s sensitive data sitting one accidental forward away from a competitor. If you ask a Chief Information Security Officer about the most anxiety-inducing phrase in a project, it’s probably “I just sent them the file—it seemed easier.”Now, that ease of internal sharing is deceptive. Internal Power Apps are quick wins because everyone’s part of your tenant, inheriting permissions, authentication, and policy controls without any heavy lifting. Internal users sign in, and their access is governed by tried-and-true security groups or roles you already manage. Compliance audits are routine. Data stays inside the blast walls of your identity provider. But the second you want to reach outside—open a door for a customer, a partner, or even a vendor with a custom login—every layer of security, compliance, visibility, and even branding gets complicated. See, Power Pages was Microsoft’s answer to requests for secure, external-facing portals built on top of Dataverse. But let’s be honest—most people who see the “add external users” option in Power Pages don’t realize what’s under the hood. Clicking through that wizard gives you a working website, but making it actually safe for production, keeping sensitive records hidden from prying eyes, and ensuring users only see what they’re supposed to? That’s not just an optional step—it’s a project in itself. And yet, plenty still find themselves on the wrong side of this boundary. There’s a recurring pattern: someone spins up Power Pages in a hurry, goes through the default steps, tests a few records, and it all looks fine. But then, a vendor logs in, and they’re staring at other customers’ orders or internal notes that shouldn’t be exposed. The fallout isn’t just a privacy incident; it’s lost trust, support tickets piling up, and sometimes even compliance breaches that have regulatory implications, especially for finance, healthcare, or any business bound by industry rules.The core challenge isn’t just “Can we display our Dataverse data externally?” It’s “How do we show the right data, to the right people, with the right look, without compromising on security or compliance?” The difference between emailing a report and building a real portal is more than just technology—it’s about building guardrails no one notices until something goes wrong. You can’t rely on good intentions or quick fixes. Once you switch from all-internal to external access, mistakes multiply fast. Let’s not gloss over branding, either. External portals are the face of your company—customers, vendors, or partners will judge your whole operation by the login page design, password reset flow, and whether the site “feels legit.” Anything sloppy, or that feels cobbled together, equals lost confidence. But getting branding right isn’t just a matter of a logo. Consistency with your internal identity, fonts, colors, emails—all of it reinforces that this isn’t just a side project, but a real extension of your brand promise.So the recurring question, whether you’re the admin or the project owner, isn’t just about feasibility. It’s about control. Is there a way to let customers, partners, or vendors interact directly with Dataverse data, but still fit it inside your security, privacy, and brand envelope? The answer is a qualified yes—Power Pages paired with Dataverse, when configured with intention, covers all these bases. The catch? There’s a sequence of technical and business steps that you need to nail—because skipping just one can put you right back in spreadsheet-chaos territory.So, how do you hook up Power Pages to Dataverse, surface the right data, and avoid the nightmare scenarios? The actual connection is simple. What makes or breaks your portal is the sequence of decisions you make from the first click. Let’s look at how to get that foundation right—connecting your portal to Dataverse securely and sidestepping the common pitfalls that trip up so many first-time builders.Connecting Power Pages to Dataverse—The Secure WayLet’s say your customer portal project lands on your desk. Power Pages is live, Dataverse holds the gold, and you’re ready to start plugging in tables to show off tickets, invoices, contract lists, or whatever data makes your users’ work easier. At first glance, this part feels like it should be the easiest win of the whole project. If you’ve used Power Apps before, it’s not a leap—go to the Data workspace in Power Pages Studio, click “Add table,” pick the ones you need from Dataverse, and they just appear as options for forms and lists on your new website. It’s painless. You can pull in the Contacts table, the Cases table, or even custom tables your team built last quarter. With a few clicks, you hit Publish and, technically, the portal now “just works.” That’s how most demo videos pitch it.Right here is where a lot of folks step on a rake. Because behind those three clicks, Power Pages quietly wires up permissions, access points, and sometimes leaves far more open than you expect—especially if you move fast or stick with defaults. By default, when you add Dataverse tables, Power Pages may grant site-wide or global permissions to newly added tables, depending on which options you pick. In particular, some of those tables might even be accessible to anonymous users if you don’t immediately lock things down. This isn’t always obvious, because the Studio lists all the tables, but doesn’t throw up a giant warning about who can see what until you dig into the settings.The risks aren’t hypothetical. There are incidents—real “oh no” moments—that start with an admin spinning up a test portal, pulling in the Employee table for a fast demo, and forgetting to remove it before that portal gets handed off for production. It’s not just lab data, either. One global services firm published their portal without realizing their internal HR table—complete with salary bands and contact info—was still exposed to authenticated external users, because the default web role permissions were set too broadly. That fix took a weekend, a conference call with legal, and a frantic review of audit logs to reassure the business they didn’t just cause a data breach. Nobody wants to explain that to their CISO.When you work with internal Power Apps, you can almost rely on the Azure AD bubble wrapping everything. Users get mapped security roles, and unless you grant explicit access, nothing happens outside those lines. Power Pages operates on a different plane. External users are managed as Contacts in Dataverse, and “web roles” drive what they can see and do—totally separate from your internal security roles and groups. The difference is subtle but huge: you need to decide table-by-table, row-by-row, and sometimes field-by-field just what should be visible to those logging in from outside your corporate firewall.The first time you connect a table, you’ll see Power Pages prompting you to pick which tables to surface. This is your first checkpoint. Do you really need to show the entire Case history, or just open Cases for each user? Should that custom Payments table be visible at all, or does it include sensitive payment instructions that only finance staff should see? If you choose “enable table for anonymous access,” you’re opening that data up to anyone who finds the URL—so unless it’s a public knowledge base, double-check and untick that option.Web roles form the backbone of your permission model, even at this early stage. By default, Power Pages offers some out-of-the-box web roles—Authenticated User, Anonymous User, and Admin. Don’t assume these mean the same thing as their equivalents in the rest of Microsoft 365. For example, the “Authenticated User” web role is generic and comes with minimal restrictions unless you add your own layers. Failing to assign custom web roles for customers, vendors, or partners can result in all authenticated users sharing th
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.
